On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
Greetings all;

I have just upgraded then updated as much as possible, an F8 install to F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will run without console-kit-daemon I find, but I went so far as to touch /.autorelabel & reboot & leave it to contemplate its sins for an hour or so as there is nearly 2TB of drives here. Didn't help.

So now I have selinux disabled, and everything is working. Can this be addressed?
Can you show us the avc denials related to your issues? avc denials are sent to /var/log/audit/audit.log and can be retrieved with the ausearch command. For example use: ausearch -m avc -ts today, to retrieve today's avc denials.
None today, I turned it off, yesterdays is attached.
You state that you updated as much as possible. What did you not update?
About 70 packages are left, all the java stuff cuz I've installed from Sun, I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by hand and some of the menus are still fubar) and anytime I do a -devel, it barfs over strigi. What the heck does that thing do anywho?

I also am not running the F10 kernel cuz I have to set stakes and call a surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears says 275-300 fps and I can tolerate it. Anyway, from the yumex screen:

14:05:14 : Error in Dependency Resolution
14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686 (rpmfusion-nonfree-updates)
Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package strigi-devel-0.5.11-1.fc10.i386 (fedora)

I might be able to get a list of updates (if you need them) not done from yum. I use yumex most of the time.

Thanks Dominick
No that is fine, thanks. Which version of selinux-policy is currently installed?
I picked a few of the denials out of there and both were allowed in the rawhide policy.
This leads me to think that either you are running an old version of the selinux-policy or that the fixes in rawhide policy have not been pushed to Fedora 10 policy yet.
I'll go for the latter as there isn't an update available.

[root@coyote Documents]# rpm -qa|grep policy
checkpolicy-2.0.16-3.fc10.i386
selinux-policy-3.5.13-18.fc10.noarch
policycoreutils-2.0.57-11.fc10.i386
policycoreutils-gui-2.0.57-11.fc10.i386
selinux-policy-targeted-3.5.13-18.fc10.noarch

In either case you can create custom policies to allow these denials.
A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M mydenials; /usr/sbin/semodule -i mydenials.pp"
And that upchucks. It generates mydenials.pp, then:

[root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
Looks like I may be missing something?
Can you give me the output of sestatus?
you could try /usr/sbin/semodule -s targeted -i mydenials.pp
You might also consider /usr/sbin/semodule -b base.pp (this should replace the base module)
man semodule
This looks like something that could have gone wrong during the upgrade.
It claims that an MLS base module is installed but you have installed selinux-policy-targeted
you should really c.c. fedora-selinux-list so that knowledgeable people like dwalsh can give suggestions as well.
caution: I did not review all denials in your list, however most look like they should be allowed.
You should not let issues like these persuade you to disable SELinux. You can also run SELinux in permissive mode which will act as an intrusion detection system but will not prevent policy violations.
I am not terribly paranoid about running selinux, Dominick, I have all my local network behind an x86 version of dd-wrt & it's locked up pretty tight. selinux is last ditch. In 2 years, no one has gotten past dd-wrt that I didn't first give them the password to it. I see my running it as more of the playing of a role, that of the canary in the coal mine if you will.
hth , Dominick
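The "quick (and dirty)" route above feeds every logged denial straight into audit2allow, and Dominick notes he did not review them all. As an added example that is not code from the thread, this POSIX shell snippet summarises "ausearch -m avc" output per source domain, target type, class and permission, and can restrict it to one program, so the denials get reviewed before any module is built; the AVC lines in it are constructed samples in the audit format, not the attachment from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise AVC denials per
# (source type, target type, class, permission) so each one can be
# reviewed before it is turned into an allow rule with audit2allow.
# Input is the text "ausearch -m avc" prints. The lines below are
# constructed samples in that format, not the attachment from the thread.

AVC_SAMPLE='type=AVC msg=audit(1235847322.101:3421): avc:  denied  { read } for  pid=2517 comm="console-kit-dae" name="history" dev=dm-0 ino=12345 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235847322.102:3422): avc:  denied  { open } for  pid=2517 comm="console-kit-dae" name="history" dev=dm-0 ino=12345 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235847400.500:3430): avc:  denied  { read } for  pid=2517 comm="console-kit-dae" name="history" dev=dm-0 ino=12345 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1235848000.010:3501): avc:  denied  { execute } for  pid=3010 comm="awstats.pl" name="sh" dev=dm-0 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'

# Keep only the denials logged for one program (the comm= field), so a
# module built from them covers that program alone.
avc_for_comm() {
    grep -F "comm=\"$1\""
}

# Read AVC records on stdin and print one line per distinct
# "source_type target_type class permission", prefixed with how often it
# occurred, most frequent first.
avc_summary() {
    awk '
        # Third colon-separated field of a context is its type, e.g.
        # system_u:system_r:consolekit_t:s0 -> consolekit_t.
        function type_of(ctx,   parts, n) {
            n = split(ctx, parts, ":")
            return (n >= 3) ? parts[3] : ctx
        }
        /avc: +denied/ {
            perm = ""; src = ""; tgt = ""; cls = ""
            # The permission list sits between "{ " and " }".
            s = index($0, "{"); e = index($0, "}")
            if (s > 0 && e > s) perm = substr($0, s + 2, e - s - 3)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") src = type_of(kv[2])
                if (kv[1] == "tcontext") tgt = type_of(kv[2])
                if (kv[1] == "tclass") cls = kv[2]
            }
            count[src " " tgt " " cls " " perm]++
        }
        END {
            for (k in count) printf "%d %s\n", count[k], k
        }
    ' | sort -rn
}
```

On a real box the input comes from `ausearch -m avc -ts today | avc_summary`, and `ausearch -m avc -ts today | avc_for_comm console-kit-dae` gives a file to hand to audit2allow for that one daemon.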
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
you could try /usr/sbin/semodule -s targeted -i mydenials.pp
Fails exactly the same. Does selinux=disabled screw with that?
You might also consider /usr/sbin/semodule -b base.pp (this should replace the base module)
Are you sure I want to do that?
man semodule
This looks like something that could have gone wrong during the upgrade.
It won't be the first time. When I went from f6 to f8, lots of stuff was busted, stuff the gurus said could not happen, but did to me. One whole section of the install was skipped & I had to go pull in about 200 packages by hand.
It claims that an MLS base module is installed but you have installed selinux-policy-targeted
And that is how I'm normally configured.
you should really c.c. fedora-selinux-list so that knowledgeable people like dwalsh can give suggestions as well.
Duh, sorry. Your reply showed up in the list folder so I didn't hit reply-all, added now.
On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
you could try /usr/sbin/semodule -s targeted -i mydenials.pp
Fails exactly the same. Does selinux=disabled screw with that?
Well you should have SELinux enabled when you install the module. Enable it first.
You might also consider /usr/sbin/semodule -b base.pp (this should replace the base module)
Are you sure I want to do that?
Not totally sure. No. First enable SELinux. Then try to install the policy module again. If that does not work consider replacing base.pp.
The error suggests that base.pp is for MLS policy. This should not be the case.
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
Can you give me the output of sestatus?
This is after the reboot/relabel, using this /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enabeled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

[root@coyote radeon]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          error (Success)
Policy version:                 24
Policy from config file:        targeted

and that looks completely fubar to me. But since it's 'permissive', consolekit is running, but sealert is popping up about every 30 seconds. It's fussing about console-kit-history now. WTH?
you could try /usr/sbin/semodule -s targeted -i mydenials.pp
Fails exactly the same. Does selinux=disabled screw with that?
Well you should have SELinux enabled when you install the module. Enable it first.
You might also consider /usr/sbin/semodule -b base.pp (this should replace the base module)
ohhkayy
Turned it back on, rebooted, relabeled, and:
[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!

[root@coyote Documents]# /usr/sbin/semodule -b base.pp
/usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
[root@coyote Documents]# locate base.pp
/etc/selinux/targeted/modules/active/base.pp
/usr/share/selinux/targeted/base.pp.bz2

[root@coyote targeted]# ls -l `locate base.pp`
-rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
-rw-r--r-- 1 root root   172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2

So which one is right? I'm getting a headache. :(

So I bunzip2'd the /usr/share/selinux/targeted/base.pp.bz2 and overwrote the /etc/selinux/targeted/modules/active/base.pp with it, it was about half the size. I think this is the same error again.

[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!

And that bunzip2 operation of course generated this:

[root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
missing     /usr/share/selinux/targeted/base.pp.bz2

So I did a bzip2 -k base.pp, and now rpm -V is happy again.
Sounds like I need to manually nuke what's in etc and force rpm to re-install? Unforch, /var/cache/yum is devoid of any F10 files, I just checked.
Your turn coach. :)
On Feb 28, 2009, at 5:18 PM, Gene Heskett wrote:
...
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enabeled
enabeled (other than being misspelled) is not a valid choice (enforcing, permissive, disabled)
...
[root@coyote radeon]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          error (Success)
because the mode from the config file is not correct
joe
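Joe's point above (SELINUX=enabeled is not a valid mode, which is why sestatus reports "Mode from config file: error") can be caught before rebooting on a bad file. As an added example that is not code from the thread, this POSIX shell snippet validates the SELINUX= and SELINUXTYPE= keys of an /etc/selinux/config and checks the corresponding sestatus line; the config and sestatus texts in it are constructed from the values shown in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check /etc/selinux/config
# the way the kernel will read it, before rebooting on it. The accepted
# SELINUX= values and the two SELINUXTYPE= values are the ones the file's
# own comments list. Both config texts below are constructed for the example;
# BAD_CONFIG carries the misspelling from the thread.

BAD_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enabeled
SELINUXTYPE=targeted
SETLOCALDEFS=0'

GOOD_CONFIG='SELINUX=permissive
SELINUXTYPE=targeted'

# Print the value of key $1 from config text on stdin, ignoring comment
# lines and surrounding whitespace; the last assignment wins. Prints
# nothing when the key is absent.
selinux_config_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" | tail -n 1
}

# Validate config text on stdin. Returns 0 when SELINUX= and SELINUXTYPE=
# both carry accepted values, 1 otherwise (reason on stderr).
selinux_config_check() {
    cfg=$(cat)
    mode=$(printf '%s\n' "$cfg" | selinux_config_get SELINUX)
    policy=$(printf '%s\n' "$cfg" | selinux_config_get SELINUXTYPE)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX=${mode:-<unset>} is not enforcing, permissive or disabled" >&2
           return 1 ;;
    esac
    case "$policy" in
        targeted|mls) ;;
        *) echo "SELINUXTYPE=${policy:-<unset>} is not targeted or mls" >&2
           return 1 ;;
    esac
    return 0
}

# Read sestatus output on stdin and return 0 only when the kernel parsed a
# valid mode from the config file; an unparsable file shows up as "error".
sestatus_config_ok() {
    val=$(sed -n 's/^Mode from config file:[[:space:]]*//p')
    case "$val" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}
```

On a live system run `selinux_config_check < /etc/selinux/config` before a reboot and `sestatus | sestatus_config_ok` after it.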
On Saturday 28 February 2009, Joe Nall wrote:
On Feb 28, 2009, at 5:18 PM, Gene Heskett wrote:
...
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enabeled
enabeled (other than being misspelled) is not a valid choice (enforcing, permissive, disabled)
Duh, by George you're right. But I can't see fixing that till we get the base.pp problem fixed.
On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
This is after the reboot/relabel, using this /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enabeled
should read enforcing or permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
[root@coyote radeon]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          error (Success)
This looks wrong. see above
Policy version:                 24
Policy from config file:        targeted

and that looks completely fubar to me. But since it's 'permissive', consolekit is running, but sealert is popping up about every 30 seconds. It's fussing about console-kit-history now. WTH?
You can easily disable setroubleshoot:
service setroubleshoot stop (to disable it by default: chkconfig setroubleshoot off)
[root@coyote targeted]# ls -l `locate base.pp`
-rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
-rw-r--r-- 1 root root   172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
So which one is right? I'm getting a headache. :(
The one in /etc is active. The one in /usr is used to generate it, I believe.
Sounds like I need to manually nuke what's in etc and force rpm to re-install? Unforch, /var/cache/yum is devoid of any F10 files, I just checked.
Your turn coach. :)
You could try: rpm -Uvh --replacefiles --replacepkgs selinux-policy and selinux-policy-targeted then make sure your base.pp is fresh (try semodule -B)
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> Greetings all;
>> >>
>> >> I have just upgraded then updated as much as possible, an F8 install to
>> >> F10. selinux is now denying ConsoleKit and friends, and awstats. F10 will
>> >> run without console-kit-daemon I find, but I went so far as to touch
>> >> /.autorelabel & reboot & leave it to contemplate its sins for an hour or
>> >> so as there is nearly 2TB of drives here. Didn't help.
>> >>
>> >> So now I have selinux disabled, and everything is working. Can this be
>> >> addressed?
>> >
>> >Can you show us the avc denials related to your issues? avc denials are
>> >sent to /var/log/audit/audit.log and can be retrieved with the ausearch
>> >command. For example use: ausearch -m avc -ts today, to retrieve today's
>> >avc denials.
>>
>> None today, I turned it off, yesterday's is attached.
>>
>> >You state that you updated as much as possible. What did you not update?
>>
>> About 70 packages are left, all the java stuff cuz I've installed from Sun,
>> I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix that up by
>> hand and some of the menus are still fubar) and anytime I do a -devel, it
>> barfs over strigi. What the heck does that thing do anywho?
>>
>> I also am not running the F10 kernel cuz I have to set stakes and call a
>> surveyor to measure screen scrolling speed, so I'm running 2.6.28.7 and am
>> building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now glxgears says
>> 275-300 fps and I can tolerate it. Anyway, from the yumex screen:
>>
>> 14:05:14 : Error in Dependency Resolution
>> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed by
>> package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386 (rpmfusion-free-updates)
>> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is needed by
>> package kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> (rpmfusion-nonfree-updates)
>> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>> strigi-devel-0.5.11-1.fc10.i386 (fedora)
>>
>> I might be able to get a list of updates (if you need them) not done from yum.
>> I use yumex most of the time.
>>
>> Thanks Dominick
>
>No that is fine, thanks. Which version of selinux-policy is currently installed?
>
>I picked a few of the denials out of there and both were allowed in the rawhide policy.
>
>This leads me to think that either you are running an old version of the
>selinux-policy or that the fixes in rawhide policy have not been pushed to
>Fedora 10 policy yet.
I'll go for the latter as there isn't an update available.

[root@coyote Documents]# rpm -qa|grep policy
checkpolicy-2.0.16-3.fc10.i386
selinux-policy-3.5.13-18.fc10.noarch
policycoreutils-2.0.57-11.fc10.i386
policycoreutils-gui-2.0.57-11.fc10.i386
selinux-policy-targeted-3.5.13-18.fc10.noarch
>In either case you can create custom policies to allow these denials.
>
>A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M mydenials; /usr/sbin/semodule -i mydenials.pp"
And that upchucks. It generates mydenials.pp, then:

[root@coyote Documents]# /usr/sbin/semodule -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
Looks like I may be missing something?
Can you give me the output of sestatus?
This is after the reboot/relabel, using this /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enabeled
should read enforcing or permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
[root@coyote radeon]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          error (Success)
This looks wrong. see above
Policy version:                 24
Policy from config file:        targeted
and that looks completely fubar to me. But since it's 'permissive', consolekit is running, but sealert is popping up about every 30 seconds. It's fussing about console-kit-history now. WTH?
You can easily disable setroubleshoot:
service setroubleshoot stop (to disable it by default: chkconfig setroubleshoot off)
you could try /usr/sbin/semodule -s targeted -i mydenials.pp
Fails exactly the same. Does selinux=disabled screw with that?
Well you should have SELinux enabled when you install the module. Enable it first.
You might also consider /usr/sbin/semodule -b base.pp (this should replace the base module)
ohhkayy
Turned it back on, rebooted, relabeled, and:
[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@coyote Documents]# /usr/sbin/semodule -b base.pp
/usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
[root@coyote Documents]# locate base.pp
/etc/selinux/targeted/modules/active/base.pp
/usr/share/selinux/targeted/base.pp.bz2
[root@coyote targeted]# ls -l `locate base.pp`
-rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
-rw-r--r-- 1 root root   172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
So which one is right? I'm getting a headache. :(
The one in /etc is active. The one in /usr is used to generate it, I believe.
So I bunzip2'd the /usr/share/selinux/targeted/base.pp.bz2 and overwrote the /etc/selinux/targeted/modules/active/base.pp with it; it was about half the size. I think this is the same error again.

[root@coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
And that bunzip2 operation of course generated this:

[root@coyote Documents]# rpm -V `rpm -qa|grep targeted`
missing     /usr/share/selinux/targeted/base.pp.bz2
So I did a bzip2 -k base.pp, and now rpm -V is happy again.
Sounds like I need to manually nuke what's in etc and force rpm to re-install? Unforch, /var/cache/yum is devoid of any F10 files, I just checked.
Your turn coach. :)
You could try: rpm -Uvh --replacefiles --replacepkgs selinux-policy and selinux-policy-targeted
then make sure your base.pp is fresh (try semodule -B)
Where do I get the policy and policy-targeted rpms? /var/cache/yum is empty of any F10 stuff.
How about I use the ones on the install dvd? Then if they are old, yumex can replace them.
Not totally sure. No. First enable SELinux. Then try to install the policy module again. If that does not work consider replacing base.pp.
The error suggests that base.pp is for MLS policy. This should not be the case.
man semodule
This looks like something that could have gone wrong during the upgrade.
I'll second that thought. Thanks Dominick
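The misspelled SELINUX= value above is what left the box permissive with "Mode from config file: error (Success)". As an added example, not code from this thread, here is a small POSIX sh check of /etc/selinux/config that would flag it before a reboot; the sample config files are constructed, and the accepted SELINUXTYPE values are only the two the file's own comments list.

```shell
#!/bin/sh
# Added example: validate the SELINUX= and SELINUXTYPE= settings in an
# /etc/selinux/config-style file. Returns 0 if both are acceptable, 1 otherwise.
check_selinux_config() {
    cfg="$1"
    rc=0
    # The last uncommented assignment wins, as in the real file.
    mode=$(sed -n 's/^SELINUX=//p' "$cfg" | tail -n 1)
    ptype=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) echo "SELINUX=$mode ok" ;;
        "") echo "SELINUX= missing in $cfg"; rc=1 ;;
        *) echo "SELINUX=$mode invalid: use enforcing, permissive or disabled"; rc=1 ;;
    esac
    case "$ptype" in
        targeted|mls) echo "SELINUXTYPE=$ptype ok" ;;
        "") echo "SELINUXTYPE= missing in $cfg"; rc=1 ;;
        *) echo "SELINUXTYPE=$ptype unknown (this check only knows targeted and mls)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not real system files). The first mirrors the
# broken config from the thread.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enabeled
SELINUXTYPE=targeted
SETLOCALDEFS=0
EOF
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

check_selinux_config "$GOOD_CFG"
check_selinux_config "$BAD_CFG" || echo "fix $BAD_CFG before rebooting"
# To check the live file: check_selinux_config /etc/selinux/config
```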
On Saturday 28 February 2009, Dominick Grift wrote:
On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>You could try: rpm -Uvh --replacefiles --replacepkgs selinux-policy and selinux-policy-targeted
>then make sure your base.pp is fresh (try semodule -B)

Ok, did that, no problem with the selinux-policy rpm from the dvd, but when I do the same with selinux-policy-targeted, I'm right back to square one:

[root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute pki_kra_port_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

A somewhat different error message that might be a bit more enlightening to someone who actually knows what it means, but it's Swahili to me. :)
So, should I nuke the contents of /etc/selinux/* and repeat the rpm commands?
Your turn, Coach. :)
On Sat, 2009-02-28 at 19:39 -0500, Gene Heskett wrote:
>On Saturday 28 February 2009, Dominick Grift wrote:
>> On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>> You could try: rpm -Uvh --replacefiles --replacepkgs selinux-policy and selinux-policy-targeted
>> then make sure your base.pp is fresh (try semodule -B)
>
>Ok, did that, no problem with the selinux-policy rpm from the dvd, but when
>I do the same with selinux-policy-targeted, I'm right back to square one:
>
>[root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
>Preparing...                ########################################### [100%]
>   1:selinux-policy-targeted########################################### [100%]
>libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute pki_kra_port_t
>libsemanage.semanage_link_sandbox: Link packages failed
>semodule: Failed!
>
>A somewhat different error message that might be a bit more enlightening to
>someone who actually knows what it means, but it's Swahili to me. :)
>
>So, should I nuke the contents of /etc/selinux/* and repeat the rpm commands?
>
>Your turn, Coach. :)
You can get the latest packages from koji.fedoraproject.org/koji or your local fedora mirror.
The error above looks like a bug in policy.
Make sure that if you install the latest selinux policy for f10 from koji, that you install both: selinux-policy as well as selinux-policy-targeted.
On Sunday 01 March 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 19:39 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>> >You could try: rpm -Uvh --replacefiles --replacepkgs selinux-policy and selinux-policy-targeted
>> >then make sure your base.pp is fresh (try semodule -B)
>>
>> Ok, did that, no problem with the selinux-policy rpm from the dvd, but when
>> I do the same with selinux-policy-targeted, I'm right back to square one:
>>
>> [root@coyote Packages]# rpm -Uvh --replacefiles --replacepkgs selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
>> Preparing...                ########################################### [100%]
>>    1:selinux-policy-targeted########################################### [100%]
>> libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute pki_kra_port_t
>> libsemanage.semanage_link_sandbox: Link packages failed
>> semodule: Failed!
>>
>> A somewhat different error message that might be a bit more enlightening to
>> someone who actually knows what it means, but it's Swahili to me. :)
>>
>> So, should I nuke the contents of /etc/selinux/* and repeat the rpm commands?
>>
>> Your turn, Coach. :)
>
>You can get the latest packages from koji.fedoraproject.org/koji or your local fedora mirror.
>
>The error above looks like a bug in policy.
>
>Make sure that if you install the latest selinux policy for f10 from koji, that you install both: selinux-policy as well as selinux-policy-targeted.
I found late yesterday that the updates repo in my yum.repos.d was disabled. Enabling that & pulling in several hundred more updates, I have not seen another alert since I installed those updated ones. No idea where they came from, just some yum mirror I have to assume, lacking more info.

Maybe we can lay this one to rest, and I can go back to "enforcing" since it's permissive due to a misspelling of enforcing in the config. Sorry for the noise, my apologies.
selinux@lists.fedoraproject.org